Hong Kong recently passed a cybersecurity law aimed at strengthening critical infrastructure protection. The law mandates that operators within vital sectors such as banking, healthcare, and transportation enhance their cybersecurity measures. Starting in 2026, operators will be required to report cybersecurity incidents within two hours, with penalties of up to HK$5 million ($640,000) for noncompliance. The law specifically targets infrastructure vital to the functioning of the economy and society, so that essential services remain secure and operational.
Chris Tang, Hong Kong’s security chief, explained that the law was designed to prevent disruptions or sabotage of critical systems. These disruptions could affect public safety, the economy, and even national security. The bill covers eight industries, including banking, financial services, energy, healthcare, and communications, among others. The government will notify operators of potential risks but will not disclose their identities to protect them from becoming targets of malicious actors.
The law also mandates annual security risk assessments and independent security audits every two years. These measures aim to continuously assess and mitigate risks to critical infrastructure. The government sees this as a necessary step to safeguard society’s well-being, given the potential ripple effects of an attack. Any severe security incident will need to be reported within two hours, ensuring timely responses to protect the public and economy.
Authorities emphasized that the law is not designed to target personal information or commercial secrets. Instead, it focuses on securing the systems essential for public and economic stability. Additionally, major sports venues and research parks are covered by the bill. This approach reflects the government’s commitment to addressing the growing cybersecurity threats faced by both public and private sectors.